mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
FIX Privilege escalation through Group and Member CSV upload (SS-2013-004)
See http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/
This commit is contained in:
parent
68ca47b0dd
commit
46556b609e
@ -86,7 +86,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
|
||||
return $item->getBreadcrumbs(' > ');
|
||||
}
|
||||
));
|
||||
|
||||
|
||||
$fields = new FieldList(
|
||||
$root = new TabSet(
|
||||
'Root',
|
||||
@ -100,34 +100,42 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
|
||||
. ' database'
|
||||
)
|
||||
)
|
||||
),
|
||||
new HeaderField(_t('SecurityAdmin.IMPORTUSERS', 'Import users'), 3),
|
||||
new LiteralField(
|
||||
'MemberImportFormIframe',
|
||||
sprintf(
|
||||
'<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="250px" frameBorder="0">'
|
||||
. '</iframe>',
|
||||
$this->Link('memberimport')
|
||||
)
|
||||
)
|
||||
),
|
||||
$groupsTab = new Tab('Groups', singleton('Group')->i18n_plural_name(),
|
||||
$groupList,
|
||||
new HeaderField(_t('SecurityAdmin.IMPORTGROUPS', 'Import groups'), 3),
|
||||
new LiteralField(
|
||||
'GroupImportFormIframe',
|
||||
sprintf(
|
||||
'<iframe src="%s" id="GroupImportFormIframe" width="100%%" height="250px" frameBorder="0">'
|
||||
. '</iframe>',
|
||||
$this->Link('groupimport')
|
||||
)
|
||||
)
|
||||
$groupList
|
||||
)
|
||||
),
|
||||
// necessary for tree node selection in LeftAndMain.EditForm.js
|
||||
new HiddenField('ID', false, 0)
|
||||
);
|
||||
|
||||
// Add import capabilities. Limit to admin since the import logic can affect assigned permissions
|
||||
if(Permission::check('ADMIN')) {
|
||||
$fields->addFieldsToTab('Root.Users', array(
|
||||
new HeaderField(_t('SecurityAdmin.IMPORTUSERS', 'Import users'), 3),
|
||||
new LiteralField(
|
||||
'MemberImportFormIframe',
|
||||
sprintf(
|
||||
'<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="250px" frameBorder="0">'
|
||||
. '</iframe>',
|
||||
$this->Link('memberimport')
|
||||
)
|
||||
)
|
||||
));
|
||||
$fields->addFieldsToTab('Root.Groups', array(
|
||||
new HeaderField(_t('SecurityAdmin.IMPORTGROUPS', 'Import groups'), 3),
|
||||
new LiteralField(
|
||||
'GroupImportFormIframe',
|
||||
sprintf(
|
||||
'<iframe src="%s" id="GroupImportFormIframe" width="100%%" height="250px" frameBorder="0">'
|
||||
. '</iframe>',
|
||||
$this->Link('groupimport')
|
||||
)
|
||||
)
|
||||
));
|
||||
}
|
||||
|
||||
// Tab nav in CMS is rendered through separate template
|
||||
$root->setTemplate('CMSTabSet');
|
||||
|
||||
@ -195,6 +203,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
|
||||
* @return Form
|
||||
*/
|
||||
public function MemberImportForm() {
|
||||
if(!Permission::check('ADMIN')) return false;
|
||||
|
||||
$group = $this->currentPage();
|
||||
$form = new MemberImportForm(
|
||||
$this,
|
||||
@ -225,6 +235,8 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
|
||||
* @return Form
|
||||
*/
|
||||
public function GroupImportForm() {
|
||||
if(!Permission::check('ADMIN')) return false;
|
||||
|
||||
$form = new GroupImportForm(
|
||||
$this,
|
||||
'GroupImportForm'
|
||||
@ -306,7 +318,7 @@ class SecurityAdmin extends LeftAndMain implements PermissionProvider {
|
||||
/**
|
||||
* The permissions represented in the $codes will not appearing in the form
|
||||
* containing {@link PermissionCheckboxSetField} so as not to be checked / unchecked.
|
||||
*
|
||||
*
|
||||
* @deprecated 3.1 Use "Permission.hidden_permissions" config setting instead
|
||||
* @param $codes String|Array
|
||||
*/
|
||||
|
@ -26,6 +26,10 @@ a custom start up script will still process all flush requests as normal.
|
||||
### Security: Privilege escalation through Group hierarchy setting (SS-2013-003)
|
||||
|
||||
See [announcement](http://www.silverstripe.org/ss-2013-003-privilege-escalation-through-group-hierarchy-setting/)
|
||||
|
||||
### Security: Privilege escalation through Group and Member CSV upload (SS-2013-004)
|
||||
|
||||
See [announcement](http://www.silverstripe.org/ss-2013-004-privilege-escalation-through-group-and-member-csv-upload/)
|
||||
## Upgrading
|
||||
|
||||
* If you have created your own composite database fields, then you should amend the setValue() to allow the passing of
|
||||
|
Loading…
Reference in New Issue
Block a user